At least one node-ipc npm package user
May 14, 2026
•[ supply chain attack, malicious package, credential theft ]
Attackers abused a dormant node-ipc npm maintainer account, likely after re-registering an expired maintainer email domain, and published malicious node-ipc versions 9.1.6, 9.2.3, and 12.0.1 on May 14, 2026. The packages contained an obfuscated credential-stealing payload that harvested developer and CI/CD secrets and exfiltrated them through DNS TXT queries.
RubyGems.org
May 12, 2026
•[ malicious packages, supply chain attack, bot accounts ]
RubyGems.org temporarily suspended new account registrations after threat actors used bot accounts to push more than 500 junk or malicious packages, including packages carrying exploits. Existing packages were not compromised, and gem installs and pushes for existing users were unaffected while maintainers tightened account-creation rate limiting and WAF protections.
Kelp DAO
April 19, 2026
•[ DDoS, RPC poisoning, cryptocurrency theft ]
NGB 3rd Technical Surveillance Bureau (TraderTraitor) compromised and poisoned LayerZero RPC infrastructure, launched a DDoS to force failover to the poisoned nodes, and delivered a malicious instruction that drained 116,500 rsETH, worth roughly $292 million, from Kelp DAO.
CPUID (cpuid.com)
April 9, 2026
•[ malware distribution, supply chain attack, API compromise ]
CPUID confirmed that a secondary website/API feature was compromised between April 9 and April 10, 2026, causing official download links for CPU-Z, HWMonitor, HWMonitor Pro, and PerfMonitor to redirect to attacker-controlled infrastructure serving malware; CPUID said its signed original files were not modified.
At least one DAEMON Tools user in government, scientific, manufacturing, retail, or education sectors
April 8, 2026
•[ supply chain attack, malware, trojanized installers ]
Threat actors compromised official DAEMON Tools installers distributed from the vendor website beginning April 8, 2026. The trojanized installers executed malware on infected Windows hosts, collected system information, and in selected cases deployed additional backdoor payloads. Reporting identified second-stage payloads on roughly a dozen machines in government, scientific, manufacturing, and retail organizations in Russia, Belarus, and Thailand, and QUIC RAT on one Russian educational institution. The specific perpetrator was not publicly identified.
Pitney Bowes
April 8, 2026
•[ phishing, extortion, data leak ]
Pitney Bowes identified unauthorized access to certain records in its Salesforce customer relationship management environment on April 9, 2026, after a phishing attack compromised an employee email account the previous night. ShinyHunters claimed to have obtained Pitney Bowes data as part of a broader extortion campaign and later released data containing 8.2 million unique email addresses, names, phone numbers, physical addresses, and some employee job-title records. Irish reporting separately confirmed that 137 Revenue Commissioners employees were affected through the Pitney Bowes supplier breach, with professional contact details exposed but no Revenue passwords or taxpayer data stolen.
Anodot
April 4, 2026
•[ data breach, token theft, unauthorized access ]
ShinyHunters allegedly breached Anodot, causing its data connectors to stop working and enabling downstream customer cloud-data access through stolen tokens.
Axios JavaScript Client Library
March 31, 2026
•[ supply chain attack, account takeover, malware ]
A threat actor hijacked the npm account of Axios's lead maintainer and published malicious versions 1.14.1 and 0.30.4 with a hidden dependency that deployed a RAT on systems that installed the packages; the poisoned versions were later removed.
LiteLLM
March 24, 2026
•[ supply chain attack, malware, credential theft ]
TeamPCP used compromised release access to publish malicious LiteLLM versions to PyPI, embedding code that exfiltrated secrets and established persistence on systems that installed the poisoned packages.
Checkmarx
March 23, 2026
•[ supply chain attack, malware distribution, compromised artifacts ]
TeamPCP used compromised Checkmarx distribution channels to publish malicious versions of developer tooling, exposing users who downloaded the affected artifacts during the publication window.
Trivy
March 19, 2026
•[ supply chain attack, malicious code, credential-stealing malware ]
TeamPCP compromised Trivy-related release components and published malicious code that turned trusted Trivy software artifacts into delivery vehicles for credential-stealing malware.
Duet Night Abyss
March 18, 2026
•[ malware, infostealer, supply chain attack ]
Kotaku reported that on March 18, 2026 Duet Night Abyss players' PCs were infected after a malicious update was pushed through the game's launcher. The malware was identified by users' antivirus products as 'Trojan:MSIL/UmbralStealer.DG!MTB' (Umbral Stealer), an infostealer capable of logging keystrokes, taking screenshots, and attempting to harvest sensitive information such as passwords and cryptocurrency-related data. The developers said they addressed the issue and apologized, describing it as an external malicious attack spread via the launcher update.
Roan and Eurocamp
March 16, 2026
•[ data breach, phishing, supply chain attack ]
Roan and Eurocamp disclosed that an unauthorized third party exploited a vulnerability in a third-party technology provider on March 16, 2026 and stole guest booking data later used in WhatsApp scam attempts; no encryption was reported.
Undisclosed contractor supporting National Bank of Ukraine numismatic online store
February 19, 2026
•[ data leak, supply chain attack, cyberattack ]
Attackers breached an undisclosed contractor supporting the National Bank of Ukraine's numismatic online store, potentially exposing customer registration and delivery data; the online store was temporarily taken offline while the incident was investigated.
eScan Antivirus (MicroWorld Technologies)
January 20, 2026
•[ supply chain attack, malware delivery, software update ]
Attackers breached an eScan update server and replaced a legitimate update file with a malicious executable, resulting in malware delivery to customers via the software supply chain without confirmed data theft or operational disruption.
Trust Wallet
December 24, 2025
•[ supply chain attack, cryptocurrency theft, malicious browser extension ]
Trust Wallet said a December 24, 2025 incident led to roughly $8.5M stolen from more than 2,500 crypto wallets after attackers published a malicious version of its Chrome extension (v2.68.0) containing a JavaScript payload that collected sensitive wallet data and enabled unauthorized transactions. Trust Wallet stated that developer GitHub secrets were exposed, giving the attacker access to extension source code and a Chrome Web Store API key; with that key, the attacker could upload builds directly, bypassing Trust Wallet's internal approval/manual review process. Trust Wallet said it revoked release APIs, coordinated registrar action to suspend attacker domains used to host malicious code, began reimbursing affected users, and warned about impersonation scams targeting victims.
At least one user of Notepad++
December 12, 2025
•[ vulnerability, supply chain attack, software update attack ]
PCGuia reported that a critical vulnerability in Notepad++'s automatic update mechanism was actively exploited, allowing attackers to intercept update traffic and distribute compromised/malicious versions of the software to users of versions prior to 8.8.9. The article states developers urged users to avoid the built-in updater and instead manually download the installer from the official site or trusted repositories. It also cites reporting that several organizations suffered serious breaches shortly after updating, and notes that the mitigations in version 8.8.9 included forcing the update URL to GitHub and improvements related to certificate/signature verification. The specific attacker identity, the full list of affected downstream organizations, and whether any sensitive data was exfiltrated from victims are not detailed in the article.
Trumbull County Recorder’s Office
November 14, 2025
•[ ransomware, data leak, supply chain attack ]
Trumbull County, Ohio reported that a ransomware attack on its third-party vendor C Systems Software led to a security breach affecting systems used for real-estate recordings and property records. County officials said they were alerted around November 14, 2025, and, with help from Ohio Homeland Security and external cybersecurity firm GuidePoint, determined that the same cybercriminals behind the vendor breach had attempted to exploit the county network. While they reported no evidence of successful intrusion into county systems, offices had to fall back on manual processing and suspend some online services for about ten days. The incident is believed to have exposed resident data held by the vendor and has prompted additional security and monitoring measures.
Salesforce customers via Gainsight-published applications
November 8, 2025
•[ data leak, supply chain attack, API abuse ]
A large-scale supply-chain campaign abused OAuth tokens linked to Gainsight-published applications integrated with Salesforce, enabling unauthorized API calls that accessed certain customers' Salesforce data; according to Salesforce and multiple security advisories, suspicious activity began around November 8, 2025, and may have affected more than 200 Salesforce instances before tokens were revoked and the apps were pulled from the AppExchange.
Xubuntu
October 18, 2025
•[ malware, data theft, supply chain attack ]
Pplware reports the official Xubuntu site was briefly compromised; the torrent download link served a ZIP with a Windows EXE that stole sensitive data (e.g., crypto addresses). Xubuntu removed the page and accelerated infra migration; ISO mirrors were unaffected. Financially motivated malware delivery via a trusted brand.